Congratulations to AcaCandy on her 100,000th post!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
acer black screen blue screen boot bsod computer connection crash css dell driver drivers email error ethernet excel firefox firefox 3 hard drive internet internet explorer itunes laptop linux malware monitor motherboard network networking outlook outlook 2003 outlook 2007 outlook express partition password printer problem router slow software sound spyware trojan usb video virus vista windows windows xp wireless
Web Design & Development
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Internet & Networking > Web Design & Development >
Designing Application Security.


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Closed Thread
 
Thread Tools
Gibble's Avatar
Distinguished Member with 27,137 posts.
  
Join Date: Oct 2001
Location: Striking or Scoring
Experience: The Alpha and Omega
07-Feb-2007, 02:52 PM #1
Designing Application Security.
I want to try and start a brainstorming session on implementing security in an application. Specifically, in regards to the data model, and functions that would implement it. As well, as a user friendly means to administer such in the application.

Now, at it's core, we require a logins/users table, an Actions table and a permissions table.

Users
UserId
Login
Password

Actions
ActionId
Description

Permissions
PermissionId
UserId
ActionId

As well as a couple basic functions.
Bool Login(Login, Password)
Bool Logout()
Bool HasPermission(UserId, ActionId)

For your basic application, little more is needed. Problems arise, when hundreds and thousands of user permissions must be managed in a rather large application. At which time, we logically start grouping users.

Groups
GroupId
UserId
Name

And setting Permissions on the Group...rather than the user level, possibly still keeping user level permissions for refinement. For that we can simply add a column to our Permissions Table for granting to a group and checking for a value in either column for that row.

Permissions
PermissionId
GroupId
UserId
ActionId

This again, often falls short, when two people both have permission to perform the same action in an application, but one should only be for a specific set of data, and the other, for different data. For example company A and company B...but how then do we refine access at this point while still keeping an efficient database, and manageable permissions? Where do we extend this basic data model we have built?
__________________
izme: You know...it's kind of nice to sit atop Civilized debate and look down below on all of the uncivilized master debating we are here...just out of the fight zone

Gibble: Now you know what it's like to be Canadian.
Gibble's Avatar
Distinguished Member with 27,137 posts.
  
Join Date: Oct 2001
Location: Striking or Scoring
Experience: The Alpha and Omega
07-Feb-2007, 03:38 PM #2
After some thought...I've come with a workable data model...I think, that's flexible enough to allow/disallow data access even though a person has role access to perform the task at hand...


When setting up and defining Actions, you also define Data Access Filters, that are basic templates for setting up what a person has access to, for later granting them.

I envision tables similar too the following.

DataAccessFilters
DataAccessFilterId
ActionId
Name <--Filter on Courses
Description
Table <--Courses
Column <--CourseType
Comparison <--Between
ValueDataType <--Integer

When granting a person/group an Action, you also grant based upon the data and store that permission in a Data Access Grants table...similar to the following.

DataAccessGrants
DataAccessGrantId
PermissionId
Value1 <--17
Value2 <--20
CRUD <--RU


This would allow the person/group given role permissions in the Permissions table (referenced by PermissionId) to Read or Update if the CourseType column of the Courses table is between 17 and 20.


The trick now, is when writing the function in code that is associated with this action to read these tables and determine if in fact the person is trying to access data they have been granted access too.


...and the turtle takes another step towards solving his conundrum.
__________________
izme: You know...it's kind of nice to sit atop Civilized debate and look down below on all of the uncivilized master debating we are here...just out of the fight zone

Gibble: Now you know what it's like to be Canadian.
Closed Thread

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

« Previous Thread | Web Design & Development | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who help people like you solve computer problems. See our Welcome Guide to get started.



Thread Tools


Related Sites: 56k Dial-Up | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 11:34 PM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.